Bitcoin Forum
Author Topic: Faucet hacked - need brains to help  (Read 219 times)
Adam556 (OP)
Full Member, Activity: 953, Merit: 102
★★ freecoyn.com ★★
August 05, 2018, 10:31:22 AM  #1

Haha, well I quickly found out the hard way about faucet security.

Having been assured by the creator of the first faucet script I used on my WP site that it was completely secure - it clearly wasn't!

Faucet was emptied last night (about 5,000 sats) to this IP: 91.208.99.2

That'll teach me! No re-fill until I figure out what went wrong. Any help would be appreciated.

- http://freecoyn.com/free-bitcoin-faucet/

Thanks :)

>> THECRYPTOADVISER.CO.UK - Crypto blog, guides, features & news <<
>> Freebitco.in - Win a LAMBO! Faucet, betting + EARN INTEREST on your BTC <<
>> Cointiply - high paying SURVEYS, BTC faucet, videos, Jackpot, PPC, PVP game soon <<
Kema
Full Member, Activity: 630, Merit: 100
August 05, 2018, 03:57:24 PM  #2

My condolences, it really sucks when stuff like that happens.
Being an amateur coder and all, I’ve been working on security continuously for my faucets. So, since I’m an amateur myself, I can’t offer any “truths”.
But the following should help... stay away from cookie-cutter solutions. If you run a custom script, any malicious individuals will have to write a custom hack for your specific faucet.
Sanitize any and all user input, lock down access to script execution and reduce the number of attack surfaces as much as possible.
I have yet to find the magic bullet when it comes to bots, and they can empty a faucet real fast if given an opening.

Don't just short links, ezLink them!
Mist3rX
Jr. Member, Activity: 113, Merit: 1
August 05, 2018, 04:50:35 PM  #3

Just to mention it, the IP you wrote is an anonymous proxy.

Best regards :)
fufufuwu
Jr. Member, Activity: 319, Merit: 2
August 05, 2018, 05:01:30 PM  #4

Make sure that your connection with the FaucetHub API is secure and cannot be altered with any parameters in the faucet's URL or values you're using on your website (if you are using usernames/passwords). Don't rely on GET PHP parameters, because they can be changed super easily and may break your faucet. POST parameters can also be changed by users, but it is way harder for hackers, and you can set up additional security for POST parameters.

If users drained your faucet really fast, that means:
- they could potentially get your FaucetHub API key (make sure it is not public)
- your faucet doesn't have any timeouts between claiming or they can be easily bypassed
- it doesn't have necessary IP security from proxies (there are 3rd party scripts for that)

Always make sure that your site is 100% safe before you release it.
Check every single thing and play with parameters, try to crack it, or send your friends so they can verify if everything is good.

Rate limits can also be a good thing when you start your fresh faucet; I used them and tracked down a major issue with my faucet. Basically it's all in the FaucetHub settings: you can limit how many satoshi can be withdrawn from your faucet in a certain range of time.

Good luck with your faucet in the future.
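The controls suggested in the two replies above (reject proxy IPs, refuse GET, keep the API key out of the page, enforce a claim timeout, cap payouts per hour) put together as one claim handler. This is an added example written for this thread, not code from the OP's faucet script or from FaucetHub. It assumes the payout amount is a server-side constant, that claim history is kept in SQLite (in memory here so the file runs offline; use a file outside the web root in production), that the API key is read from an environment variable named FAUCETHUB_API_KEY, and that the FaucetHub endpoint and field names in faucethub_sender() are illustrative, so check them against the provider's documentation. PROXY_RANGES is a constructed sample; a real list comes from a proxy/VPN detection source.

```php
<?php
// Added example (not from the thread or any faucet script): server-side claim gating for a PHP faucet.
// Assumptions: payout amount is a server constant, claim history lives in SQLite (in-memory here so the
// file runs offline), the API key comes from the environment, PROXY_RANGES is a constructed sample list.
declare(strict_types=1);

const PAYOUT_SATOSHI   = 10;    // set by the server, never taken from the request
const CLAIM_COOLDOWN_S = 300;   // minimum seconds between claims, per address and per IP
const HOURLY_CAP_SAT   = 2000;  // stop paying once this much has gone out in the last hour
const CURRENCY         = 'BTC';
// Sample denylist: the /24 around the IP reported in the thread plus a private range (constructed).
const PROXY_RANGES = ['91.208.99.0/24', '10.0.0.0/8'];

function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $ipL  = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false) return false;   // IPv6 or garbage: not matched here
    $mask = (int)$bits === 0 ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');   // use a file path outside the web root in production
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS claims (subject TEXT NOT NULL, ts INTEGER NOT NULL, sat INTEGER NOT NULL)');
    return $db;
}

function last_claim(PDO $db, string $subject): ?int {
    $st = $db->prepare('SELECT MAX(ts) FROM claims WHERE subject = ?');
    $st->execute([$subject]);
    $v = $st->fetchColumn();
    return ($v === null || $v === false) ? null : (int)$v;
}

function paid_since(PDO $db, int $since): int {
    $st = $db->prepare('SELECT COALESCE(SUM(sat), 0) FROM claims WHERE ts >= ?');
    $st->execute([$since]);
    return (int)$st->fetchColumn();
}

/** $send(string $to, int $sat): bool performs the payout; $now is injected so the logic is testable. */
function handle_claim(PDO $db, string $method, array $post, string $ip, int $now, callable $send): array {
    if ($method !== 'POST') return ['ok' => false, 'reason' => 'POST only'];
    $addr = is_string($post['address'] ?? null) ? $post['address'] : '';
    // Syntax check only (legacy Base58 addresses); a checksum check is stronger.
    if (!preg_match('/^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/', $addr)) return ['ok' => false, 'reason' => 'bad address'];
    foreach (PROXY_RANGES as $range) {
        if (ip_in_cidr($ip, $range)) return ['ok' => false, 'reason' => 'proxy ip'];
    }
    foreach ([$addr, 'ip:' . $ip] as $subject) {        // both keys, so one IP cannot rotate addresses
        $t = last_claim($db, $subject);
        if ($t !== null && $now - $t < CLAIM_COOLDOWN_S) return ['ok' => false, 'reason' => 'cooldown'];
    }
    if (paid_since($db, $now - 3600) + PAYOUT_SATOSHI > HOURLY_CAP_SAT) return ['ok' => false, 'reason' => 'hourly cap'];
    // Record before paying: a failed payout costs nothing, a double payout costs coins.
    $ins = $db->prepare('INSERT INTO claims (subject, ts, sat) VALUES (?, ?, ?)');
    $ins->execute([$addr, $now, PAYOUT_SATOSHI]);
    $ins->execute(['ip:' . $ip, $now, 0]);
    return $send($addr, PAYOUT_SATOSHI) ? ['ok' => true, 'reason' => 'paid'] : ['ok' => false, 'reason' => 'payout failed'];
}

/** Real payout via the provider's HTTP API. Endpoint and field names are assumed for illustration. */
function faucethub_sender(): callable {
    $key = getenv('FAUCETHUB_API_KEY');                 // never a literal in a theme or plugin file
    if (!is_string($key) || $key === '') throw new RuntimeException('FAUCETHUB_API_KEY is not set');
    return function (string $to, int $sat) use ($key): bool {
        $ch = curl_init('https://faucethub.io/api/v1/send');
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => http_build_query(['api_key' => $key, 'to' => $to, 'amount' => $sat, 'currency' => CURRENCY]),
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        $resp = is_string($body) ? json_decode($body, true) : null;
        return is_array($resp) && ($resp['status'] ?? null) === 200;
    };
}

if (PHP_SAPI === 'cli') {   // offline walk-through with a stand-in sender
    $db   = open_store();
    $fake = fn(string $to, int $sat): bool => true;
    $addr = '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2';
    $t    = 1700000000;
    foreach ([
        ['GET',  $addr, '203.0.113.5', $t],                                       // GET request
        ['POST', $addr, '203.0.113.5', $t],                                       // first claim
        ['POST', $addr, '203.0.113.9', $t + 60],                                  // same address, new IP, 60 s later
        ['POST', '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa', '203.0.113.5', $t + 60],   // new address, same IP
        ['POST', '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa', '91.208.99.2', $t + 60],   // denylisted IP
    ] as [$m, $a, $ip, $now]) {
        echo str_pad($m, 5), ' ', $ip, ' => ', handle_claim($db, $m, ['address' => $a], $ip, $now, $fake)['reason'], PHP_EOL;
    }
}
```

Run it with `php claim.php` to see each case refused or paid. The cooldown is keyed on both the address and the IP so a bot cannot dodge it by rotating one of them, and the hourly cap bounds the damage if every other control fails, which is the same idea as the FaucetHub withdrawal limit mentioned above but enforced on your own server too.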
tungaqhd
Hero Member, Activity: 1540, Merit: 508
August 05, 2018, 06:31:35 PM  #5

I remember that someone notified you about the problems with this script. Most free scripts aren't safe enough and you have to customise them, and I think running a faucet on a WP site is a bad idea because WP is a favourite target of hackers.
Adam556 (OP)
Full Member, Activity: 953, Merit: 102
August 05, 2018, 07:08:40 PM  #6

Thanks everyone for your really helpful comments and suggestions - that's what makes this community great!

I think I used the cookie-cutter option because, while I'm fascinated with bitcoin and faucets, I'm not a coder, so I was hoping for something I could use out of the box.

But it's back to the drawing board now. However, I'm going to persevere and hopefully launch a new and improved version soon. :)

Kema
Full Member, Activity: 630, Merit: 100
August 05, 2018, 07:29:12 PM  #7

Just assume that all user input, get and post data is insecure.

casanova80
Newbie, Activity: 14, Merit: 0
August 05, 2018, 09:11:52 PM  #8

You need proper pentesting around JSON, code execution, API security, XSS. Mainly sanitising user input: someone highly likely slipped malicious code through somewhere; you need to prevent them from executing such code and you must validate user input, if your issue is related of course.
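Input validation and JSON handling as the post above recommends, applied to the two untrusted inputs a faucet actually handles: the payout address the user submits and the JSON reply the payout provider returns, plus output encoding when the address is echoed back. This is an added example for the thread, not code from any faucet script or provider. It assumes the PHP gmp extension is available, that only mainnet legacy (Base58Check) addresses are accepted, and that the provider signals success with an integer status of 200 in a JSON object; the reply strings at the bottom are constructed samples.

```php
<?php
// Added example (not from the thread or any faucet script): strict validation of a Base58Check payout
// address, strict parsing of a provider JSON reply, and output encoding. Requires ext-gmp.
declare(strict_types=1);

const B58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

/** Base58 -> raw bytes, or null if any character is outside the alphabet. */
function base58_decode(string $s): ?string {
    if ($s === '' || !preg_match('/^[' . B58_ALPHABET . ']+$/', $s)) return null;
    $n = gmp_init(0);
    foreach (str_split($s) as $c) {
        $n = gmp_add(gmp_mul($n, 58), strpos(B58_ALPHABET, $c));
    }
    $hex   = gmp_strval($n, 16);
    $bytes = gmp_cmp($n, 0) === 0 ? '' : hex2bin(strlen($hex) % 2 ? '0' . $hex : $hex);
    $leadingOnes = strlen($s) - strlen(ltrim($s, '1'));   // each leading '1' encodes a zero byte
    return str_repeat("\0", $leadingOnes) . $bytes;
}

/** True only for a mainnet P2PKH (version 0) or P2SH (version 5) address with a valid checksum. */
function is_valid_mainnet_address(string $addr): bool {
    $raw = base58_decode($addr);
    if ($raw === null || strlen($raw) !== 25) return false;      // 1 version + 20 hash + 4 checksum
    $payload  = substr($raw, 0, 21);
    $expected = substr(hash('sha256', hash('sha256', $payload, true), true), 0, 4);
    return hash_equals($expected, substr($raw, 21)) && in_array(ord($raw[0]), [0, 5], true);
}

/** Accept the provider reply only as a JSON object whose "status" is the integer 200, nothing looser. */
function payout_succeeded(string $body): bool {
    try {
        $r = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return false;
    }
    return is_array($r) && array_key_exists('status', $r) && $r['status'] === 200;
}

/** Validation decides the logic; encoding protects the page. Never echo raw input. */
function render_claim_message(string $addr, bool $paid): string {
    $safe = htmlspecialchars($addr, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $paid ? "<p>Sent to {$safe}</p>" : "<p>Rejected: {$safe}</p>";
}

if (PHP_SAPI === 'cli') {
    $inputs = [
        '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',   // genesis block address, P2PKH
        '3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy',   // P2SH
        '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb',   // last character altered
        'mipcBbFg9gMiCh81Kj8tqqdgoZub1ZJRfn',   // testnet version byte
        '<script>alert(1)</script>',            // not Base58 at all
    ];
    foreach ($inputs as $in) {
        $ok = is_valid_mainnet_address($in);
        echo str_pad($ok ? 'valid' : 'invalid', 8), $in, PHP_EOL;
        echo '  ', render_claim_message($in, $ok), PHP_EOL;
    }
    // Constructed provider replies: only the first has the exact shape we accept.
    foreach (['{"status":200}', '{"status":"200"}', '{"status":true}', 'not json', '[200]'] as $reply) {
        echo str_pad($reply, 18), payout_succeeded($reply) ? 'accepted' : 'rejected', PHP_EOL;
    }
}
```

The checksum check matters because a regex only proves the string looks like an address; a single corrupted or attacker-altered character still matches the pattern but fails the double-SHA256 checksum, so the faucet never sends coins to a non-existent address. The strict `=== 200` comparison on the reply avoids treating a string, a boolean or an error object as success.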
Adam556 (OP)
Full Member, Activity: 953, Merit: 102
August 07, 2018, 04:01:28 PM  #9

Quote from: casanova80 on August 05, 2018, 09:11:52 PM
You need proper pentesting around JSON, code execution, API security, XSS. Mainly sanitising user input: someone highly likely slipped malicious code through somewhere; you need to prevent them from executing such code and you must validate user input, if your issue is related of course.

Thanks for all this. It's beyond me though! I'm looking into a new script, will test it publicly soon.
